I've tried twice to reply to your first response.  I am not sure why it is 
not posting. 
I am going to try again.

>First. LDAP (authentication) is only 1/2 of the big picture. You will
>still need to configure authorization on the repos themselves.
I have done this already.  I have a separate configuration file for each 
repository.  That looks like this:
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>

I have defined the LDAP Aliases in the very first repository configuration 
file; as such:
<AuthnProviderAlias ldap ldap-FCGNET>
    AuthLDAPBindDN FCGNET\svnuser
    AuthLDAPBindPassword xxxxxxxxx
    AuthLDAPURL ldap://xxxxxx.fcg.com:3268/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-VIET>
    AuthLDAPBindDN "CN=fcgvuser,OU=Service Accounts,OU=Users,OU=Production,DC=vdc,DC=csc,DC=com"
    AuthLDAPBindPassword xxxxxxxxxxx
    AuthLDAPURL ldap://xxxxx.vdc.csc.com:3268/DC=vdc,DC=csc,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>

>Second, it's hard to help troubleshoot when you don't provide useful
>information or a direct question. Was there something you needed help
>with? I didn't see any questions other than "Can someone lend a hand in
>figuring out what I have done wrong, or need to do?"

I think that I have 2 separate issues:
1. I need to lock down access so that only the users in the associated AD 
group have access to the repository.
2. I need to be able to allow just my user account access to the 
repositories, without having to be added to all of the AD groups.

Right now:
All valid users can access all repositories, whether they are a member
of the Active Directory group or not.
When I remove the "Require valid-user" line then no one, including the
members of the Active Directory group, can access the repository.


PATI MOSS
System Engineer Sr. Professional
CSC



From: opensrcguru <opensrcg...@gmail.com>
To: users@subversion.apache.org
Date: 11/09/2010 02:12 PM
Subject: Re: locking down access to a repository



On Tue, Nov 9, 2010 at 12:54 PM, Patricia A Moss <pmo...@csc.com> wrote:

I appreciate all of the help that I am receiving. I have still not been 
successful in resolving this. 

I removed the line: 
Require valid-user

I have tried using: 
?samAccountName?sub?(objectClass=*) 
Instead of: 
?samAccountName?sub?(objectCategory=person) 

That is the only difference I see in my config files and the examples in 
the google hits. Yet I am still not successful in accessing the 
repository. 
I am, apparently, quite a novice with SVN, LDAP and ActiveDirectory 
because I am really confused as to how to proceed. 


PATI MOSS
System Engineer Sr. Professional
CSC


From: kmra...@rockwellcollins.com
To: Patricia A Moss/USA/c...@csc
Cc: users@subversion.apache.org
Date: 11/09/2010 11:13 AM
Subject: Re: locking down access to a repository




Patricia A Moss <pmo...@csc.com> wrote on 11/09/2010 09:41:42 AM:

> From: Patricia A Moss <pmo...@csc.com> 
> To: kmra...@rockwellcollins.com 
> Cc: users@subversion.apache.org 
> Date: 11/09/2010 09:41 AM 
> Subject: Re: locking down access to a repository 
> 
> 
> >I don't think you want the "Require valid-user" line, since by 
> default it uses 
> >ANY of the Require lines as matches.  (And in your case valid-user 
> matches all 
> >users so it doesn't care you are also specifying a group and an user.) 
> 
> But if I remove that line then no one can access the repository. 

I think you also may need to be less specific with your ldapurl (remove the
objectclass or use * ??):
(Assuming active directory, this is like what I have used in the past)

 AuthLDAPURL "ldap://ad.example.com/ou=group,dc=example,dc=com?sAMAccountName"
 AuthLDAPGroupAttribute member
 Require ldap-group ...

It has been quite a while since I used ldap groups instead of authz
files...

This first google hit has some examples: 

http://www.held-im-ruhestand.de/software/apache-ldap-active-directory-authentication
 


As does this one: 

http://ramblings.gibberishcode.net/archives/apache-22-and-active-directory-and-group-restrictions/36
 


Kevin R. 


Although this is probably better suited for the apache/mod_ldap list, I'll 
attempt to help.

do your domain controllers support unencrypted binds (very dangerous)?
can you supply any apache/AD debug logs?
can you supply versions of apache/mod_ldap?
can you describe anything that is known to be working?


...this should be pretty straight forward to troubleshoot if you give us 
some useful information to work with. 

I speak without a full understanding of the list's user base, but I bet
none of them can or ever will be able to read the minds of the end user
with a problem (let alone know how their systems are configured). If there
is such a wonderful beasty, I'd be mighty interested in meeting them.



/OSG
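Added example, not posted by anyone in this thread: the <Location> block Pati posted, beside the form Kevin's reply points at, written for httpd 2.2 (the version implied by AuthzLDAPAuthoritative). The thing to hold on to is that in 2.2 every Require line in a section is an independent alternative: the request is allowed as soon as any one of them is satisfied, and "valid-user" is satisfied by everyone who authenticates, so the group and user lines below it never matter. Dropping it leaves "member of the group OR is pmoss", which is exactly the two requirements in the first message. The hostname gc.fcg.com, port 3269 (Global Catalog over TLS), the CA file path and the quoted DNs are assumptions; everything else is taken from the posted config.

```apache
# --- As posted: wide open to any account that can authenticate ---------------
# In httpd 2.2 the three Require lines are OR-ed. "valid-user" matches every
# authenticated user, so the ldap-group and ldap-user lines are never reached.
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative off
    AuthName "CSC Subversion Repository"
    Require valid-user
    Require ldap-group CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com
    Require ldap-user pmoss
</Location>

# --- Corrected: group members, plus pmoss, and nobody else --------------------
# Authentication still goes through the two AuthnProviderAlias blocks. The
# LDAP settings repeated here are for the *authorization* step: Require
# ldap-group / ldap-user are checked by mod_authnz_ldap with the URL and bind
# credentials in force for this section, not the ones inside an alias, so the
# section needs its own AuthLDAPURL pointing at the domain that holds the group.
# (Assumption: gc.fcg.com on 3269, i.e. the Global Catalog over TLS, so the
# service-account password is not sent in the clear as it is on 3268.)
<Location /RepositoryName>
    DAV svn
    SVNPath /disk01/home/RepositoryName
    AuthType Basic
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthName "CSC Subversion Repository"

    # Same filter and attribute as the alias: the value of samAccountName is
    # what "Require ldap-user" is compared against.
    AuthLDAPURL "ldaps://gc.fcg.com:3269/DC=fcg,DC=com?samAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "FCGNET\svnuser"
    AuthLDAPBindPassword xxxxxxxxx

    # AD groups list their members as full DNs in the "member" attribute;
    # tell mod_authnz_ldap to compare the user's DN against that attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # A failed LDAP authorization check is final; do not fall through to
    # other authz modules and hope one of them grants access.
    AuthzLDAPAuthoritative on

    # No "valid-user" line. Either of these two is enough to get in.
    Require ldap-group "CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com"
    Require ldap-user pmoss
</Location>

# Needed once, at server level, for the ldaps:// URL above (mod_ldap):
# the CA that signed the domain controllers' certificates.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
```

Two checks worth doing before blaming the config. First, bind as the same service account and confirm it can read the group's member list on the port you use, e.g. with ldapsearch -H ldaps://gc.fcg.com:3269 -D 'FCGNET\svnuser' -W -b 'CN=ADGroupName,OU=Europe,OU=Groups,DC=fcg,DC=com' -s base member; if that returns no member values, the group compare in Apache cannot succeed either. Second, turn LogLevel up to debug on a test vhost: mod_authnz_ldap logs each group compare and the DN it tried, which is the information OSG asked for. Note also that a user authenticated via the ldap-VIET alias belongs to a different directory than the one the group lives in, so for such accounts only the ldap-user line can match. On httpd 2.4 the picture changes: AuthzLDAPAuthoritative no longer exists, and Require lines are combined with RequireAny/RequireAll (RequireAny being the default, which matches the OR behaviour above).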
